|Testing signatures from the command line||Christopher Piggott||11/10/11 8:25 AM|
I am trying to verify signatures from the command line, just as a
test. Steps I took:
1) generate the key with:
openssl req -x509 \
-days 365 \
-newkey rsa:1024 \
-subj '/C=US/ST=NY/ [ other stuff ]' \
-keyout privatekey.pem \
-out certificate.pem
2) upload certificate.pem into google domain manager
3) make a request, and capture the verification. Google says it has
signed 17 fields:
4) In the exact same order as listed above, put all those fields in
the Key-Value Form Encoding format. I'm going to obscure what it
actually returned, but basically show you the idea of what this looks
There are a total of 17 of these, each line ends in \n.
5) Google sent me an openid.sig ... I turned this into hex by doing
echo $SIGNATURE | base64 -d | hexdump -v -e '/1 "%02X "'
and I ended up with 20 bytes (160 bits), which matches a SHA1
signature, which is what I expected.
So here's the question. Can I use the Key-Value Form Encoding file
that I created, and the privatekey.pem file, to verify the signature
openssl dgst -hmac (something) ?
I haven't figured it out yet, but it seems like there must be a way.
|Re: [google-federated-login-api] Testing signatures from the command line||John Bradley||11/14/11 6:02 AM|
OpenID 2.0 uses symmetric HMAC signatures.
I don't know what the RSA key is for in your example.
You must perform an association call and get a secret and association handle first.
The association handle must be part of the request.
You then perform a HMAC SHA1 verification of the response using the body and the secret.
The OpenID 2.0 spec provides the information.
So the answer is no, the pem file has nothing to do with the OpenID signature.
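The check John describes, as an added example that is not part of this thread: rebuild the Key-Value Form Encoding of the fields named in openid.signed (in that order, with the "openid." prefix stripped), HMAC-SHA1 it with the MAC key from the association, and compare against openid.sig. The MAC key and the response below are constructed sample values, not data from Google.

```python
import base64
import hashlib
import hmac


def kv_form(response: dict, signed: list) -> bytes:
    """Key-Value Form Encoding of the signed fields: one 'key:value\n'
    line per entry of openid.signed, in that order, prefix removed."""
    return "".join(f"{k}:{response['openid.' + k]}\n" for k in signed).encode("utf-8")


def sign(mac_key: bytes, response: dict, signed: list) -> str:
    """HMAC-SHA1 over the key-value form, base64-encoded like openid.sig."""
    mac = hmac.new(mac_key, kv_form(response, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify(mac_key: bytes, response: dict) -> bool:
    """Recompute the signature from the response and compare it to openid.sig
    in constant time. A missing signed field or missing signature fails closed."""
    try:
        signed = response["openid.signed"].split(",")
        expected = sign(mac_key, response, signed)
        return hmac.compare_digest(expected, response["openid.sig"])
    except KeyError:
        return False


# Constructed MAC key, in the base64 form the association response returns it
# (20 bytes, the HMAC-SHA1 key size). Not a real key.
MAC_KEY = base64.b64decode("MDEyMzQ1Njc4OWFiY2RlZmdoaWo=")

# Constructed positive assertion with placeholder URLs and handle.
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.identity": "https://op.example/id/alice",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2011-11-10T08:25:00ZCONSTRUCTED",
    "openid.assoc_handle": "CONSTRUCTED_HANDLE",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle",
}
# What the OP would attach; here produced with the same key so verify() passes.
SAMPLE["openid.sig"] = sign(MAC_KEY, SAMPLE, SAMPLE["openid.signed"].split(","))
```

The command-line equivalent of sign() is `openssl dgst -sha1 -mac HMAC -macopt hexkey:<hex of mac_key> -binary < kvform.txt | base64`, with the key coming from the association, not from privatekey.pem.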